KHIKA App for IIS WebServer
Contents
- 1 Introduction
- 2 How to Install the KHIKA App for IIS WebServer?
- 3 How to get your IIS WebServer data into KHIKA ?
- 4 Adding the device in the KHIKA
- 5 Extract key from KHIKA OSSEC Server
- 6 Installing OSSEC Agent for IIS WebServer
- 7 Insert unique OSSEC key in Windows OSSEC Agent
- 8 Reload Configuration
- 9 Verifying OSSEC data collection
- 10 How to check the output of KHIKA IIS WebServer App ?
- 10.1 Report_IIS_Webserver_Http_Error_Status Dashboard
- 10.2 Report_IIS_Webserver_Top_N_URL Dashboard
- 10.3 Report_IIS_Webserver_Total_Request_Per_User Dashboard
- 10.4 Report_IIS_Webserver_Traffic_Categorization Dashboard
- 10.5 Report_IIS_Webserver_Top_N_Referers Dashboard
- 10.6 Report_IIS_Webserver_Referrer_Detail Dashboard
- 10.7 Report_IIS_webserver_loading_delays Dashboard
- 10.8 Report_IIS_Webserver_Avg_Qtime Dashboard
- 10.9 KHIKA Alerts for IIS WebServer
Introduction
IIS webserver form an important part of organisations’ networks and hence by monitoring your webserver is imperative.
With KHIKA App for IIS webserver, you can :
- Monitor hundreds of IIS servers at one central place.
- Monitor and shows the http error status for accessed URL on your server.
- Monitor and shows top n URL and also shows average time taken,total time taken by particular URL on your server.
- monitor user wise total request on your servers.
We explain below steps to configure and interpret the output of KHIKA App for IIS Webserver. The key parts to get here are:
- Install the KHIKA App for IIS Webserver
- Get data from your IIS Webserver into KHIKA Aggregator
How to Install the KHIKA App for IIS WebServer?
The section assumes that you have already configured KHIKA Data Aggregator in your environment. If not, please read how to configure KHIKA Data Aggregator and perform the pre-requisite steps.
This section explains how to pick and install the KHIKA application for IIS WeServers. Installing the application shall put together and activate the adapter (parser) that can handle Windows data format, the dashboards and the alert rules preconfigured.
Go to “Applications” tab in the “Configure” menu.
Check whether the appropriate Workspace is selected. Note: Application is always loaded in a Workspace. Read the section on Workspaces to know more about KHIKA Workspaces. Also select your KHIKA aggregator name in the Node dropdown. This is to ensure that we are collecting data from the desired source and into the correct workspace which is ready with the configured application and components.
Click on the “+” button next to the IIS WebServer App. A pop up appears.
Users can now select the contents of the application required. For example, on the dropdown for “Reports”, click to expand it. List of all reports can be seen. User can individually select the reports required by checking on the checkbox next to each. Alternatively, check on “Select All” option to get all of them. Similarly you can select contents from Alerts and Dashboards.
Click “Install” to proceed with the installation of the selected Application. If you have created multiple windows workspaces in KHIKA, and installed Windows App previously, you will get below pop up.
Click on OK to proceed. If this is not the case, ignore this step. After successful installation, following status should be displayed.
Click on Close button. This simple procedure to install a KHIKA App, automatically configures the Adapter (required for parsing the data from raw syslogs), calculated KHIKA reports on raw data, Visualizations, Dashboards and Alerts – all in one click.
How to get your IIS WebServer data into KHIKA ?
KHIKA recommends, popular open source OSSEC integration to monitor the Windows servers. There are 2 components in OSSEC Integration with KHIKA.
- OSSEC Agent – Installed on each Windows server which we wish to monitor
- OSSEC Server – Present on KHIKA Data Aggregator (which you have installed before)
The OSSEC agent and server communicate with each other using a unique key for encryption. The main steps to start getting data from a Windows server are
- Add the Windows server details in KHIKA
- Extract a unique key for this device from KHIKA
- Installing Ossec Agent on Windows Server
- Insert this key in the Ossec agent (ie. on your Windows server to be monitored)
- Reload Configuration in KHIKA
- Verify data collection in KHIKA
Each of these steps is explained in detail in the further sections.
Adding the device in the KHIKA
Go to Adapter tab, from the “Configure” menu. Click on the “Manage Devices” icon.
Pop up appears for device details
Click on “Add / Modify Device” tab. Another pop up appears for device details.
Enter the expected device name. Also, in the field for IP address, enter “any”. Please note : Always enter the IP Address as “any”. This is a safe and sure option to establish a connection with the server where we are suggesting ossec agent to use “any” of its configured IPs to be used to connect with the OSSEC Server. The device may have multiple NIC cards/IP addresses and unless we are sure of what IP will be used for connection, the connect will fail. Hence, use “any”
Select appropriate time zone of this device. In the “Node” field dropdown, select the name of the Aggregator or local data collector for this device. Click on Submit. We get a success message and device is added successfully to this adaptor.
Finally, go to Workspace tab and click on “Apply Configuration” icon.
We get a confirmation message here too, saying, “Changes Applied”
Extract key from KHIKA OSSEC Server
Now the expected Windows server is added in the relevant KHIKA Adapter or parser that will parse this data type. To see this device entry, click on “Manage Devices” icon next to the adaptor .
A pop up with device details of the adaptor appears. Select “List of Devices” tab.
Click on the “Get OSSEC Key” icon next to this device.
This is the unique key for this device created by the OSSEC server. Paste this key in the Ossec agent which is installed on this Windows server.
Installing OSSEC Agent for IIS WebServer
Download OSSEC agent for Microsoft Windows from KHIKA install directory. The agent is shipped with KHIKA installer and is located on KHIKA Server in /opt/KHIKA/UTILS/OSSEC directory. For Windows you will need to select the Windows installer with filename ossec-win32-agent.zip. This works for both 32-bit and 64-bit windows servers OS versions.
Copy the downloaded installer on your Windows server (using winscp or your favourite scp client) and run installer with local "Admin" on the Server. Please Note : It is extremely important to install the OSSEC agent with admin privileges as this agent reads the security logs and in order to read it successfully, it has to be the local Admin. Select the installer file and Press "Run"
Click Next
Select "I Agree" and proceed
Keep the default selection in the next window and click Next
Enter the location to install the OSSEC agent on the local drive and let the installation complete
After the installation is complete, verify that the OSSEC HIDS Service is successfully installed on your Windows Server. (Go to your Service Control Panel and check for OSSEC HIDS Service)
NOTE :- You will have to repeat these steps on all the Windows Servers that you wish to monitor using KHIKA.
Insert unique OSSEC key in Windows OSSEC Agent
Perform following simple steps on the Windows Agent In the OSSEC Agent installation directory, run win32ui.exe to open-up a window as shown below – Run as Administrator.
In the field “OSSEC Server IP” - Enter the IP Address of the KHIKA data aggregator or collector node and paste the copied key (generated by OSSEC server above) in the box against "Authentication key" and click Save. From "Manage" drop-down, select "Restart" to restart the OSSEC Agent. Click on the Refresh button in the bottom next to Save.
Wait for a few minutes. Repeat above steps for all the agents to be added.
Reload Configuration
Login into the KHIKA portal. Login into the KHIKA portal.
- Go to Configure
- Select workspace, eg. Apache_WebServer
- Go to Node Tab
- Click Reload Config
This step restarts OSSEC Server. Wait for a few minutes for server to restart.
Verifying OSSEC data collection
Once the device is added successfully, we can check the data for this device on Discover screen. Go to “Discover” from the main menu. Select the appropriate index for the same. Raw (khika formatted) data of all your Windows servers added is seen here.
To see the data for our newly added device, enter search string in lower case – tl_src_host : name_of_the_device_added_in_lower_case and click on the search icon.
How to check the output of KHIKA IIS WebServer App ?
Report_IIS_Webserver_Http_Error_Status Dashboard
This Dashboard shows the information about HTTP status code for accessed URL's.This dashboard also shows top 10 URL's which are accessed most,Server IP and HTTP status code.
Elements in the Dashboard are explained below :
Visualization | Description |
Server IP wise Status | X axis : ServerIP(s) Y axis : ServerIP wise status code like 200,400,404, etc. |
Client IP wise Status | X axis : ClientIP(s) Y axis : ClientIP wise status code like 200,400,404,504, etc. |
Time trend | Trend of login events over time. Useful to identify unusual spikes at a glance. X axis : date & time Y axis : count of events |
Summary Table | Detailed data with timestamp and count |
Some suggestions for useful interaction with this dashboard could be :
- In the graph "Server IP wise Status" , click and select any one serverIP. This shall isolate respective status code and URL accessed for that selected serverIP and reflected across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this serverIP only.
- alternatively,In the graph "Client IP wise Status " click and select any one clientIP. This shall isolate respective status code and URL accessed for that selected clientIP and reflected across the dashboard.
Report_IIS_Webserver_Top_N_URL Dashboard
This dashboard shows top URL's. Also gives the detail about domain and top hits on server.
Elements in the Dashboard are explained below :
Visualization | Description |
Contribution of URL | This pie chart shows different types of URL accessed by server. |
Server Name wise Hits | X axis : Names of Server Y axis : Count of such request hits for each server. |
Time trend | Trend of login events over time. Useful to identify unusual spikes at a glance. X axis : date & time Y axis : count of events |
Contribution of Domain | This pie chart shows different types of domain. |
Summary Table | Detailed data with timestamp and count |
Some suggestions for useful interaction with this dashboard could be :
- On the bar graph "Server Name wise Hits" select any one servernme . This shall isolate the number of hits for requested URL for selected servername and also shows Requested URL's,Domain for selected servername across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this server name only.
- In the "Contribution of Domain" pie,click on the any one domain,filer get applied on this selected domain, according to this filter rest of the elements on the dashboard then show data for that domain only like URL's for this domain,server Name, etc.
Report_IIS_Webserver_Total_Request_Per_User Dashboard
This dashboard shows detail information of users and requested URL's which are accessed by users .
Elements in the Dashboard are explained below :
Visualization | Description |
Contribution of Server Name | Contribution of servers. |
User wise Request | X axis : one or more user Y axis : Count of request hits for that user. |
Time trend | Trend of login events over time. Useful to identify unusual spikes at a glance. X axis : date & time Y axis : count of events |
Summary Table | Detailed data with timestamp and count |
Some suggestions for useful interaction with this dashboard could be :
- In the graph "User wise Request " , click and select any one user. This shall isolate the requested hits for that selected user and reflected across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this user only.
- In the pie "Contribution of Server Name " click and select any one servername. This shall isolate the respective user and requested hits for that servername and reflected across the dashboard.
Report_IIS_Webserver_Traffic_Categorization Dashboard
This dashboard shows traffic categorization like DIRECT or REFERRED. Also it shows serverip wise category , top URL's and Servers.
Elements in the Dashboard are explained below :
Visualization | Description |
Server IP wise Category | X axis : ServerIP(s) Y axis : count of Category. |
Client IP wise Referrer | X axis : ClientIP(s) Y axis : count of Referrer. |
Contribution of URL | Contribution of different types of URL |
Contribution of Category | Contribution of different types of Category. |
Contribution of Referrer | Contribution of different types of Referrer. |
Time trend | Trend of login events over time. Useful to identify unusual spikes at a glance. X axis : date & time Y axis : count of events |
Summary Table | Detailed data with timestamp and count |
Some suggestions for useful interaction with this dashboard could be :
- On the bar graph "Server IP wise Category" select any one serverIP. This shall isolate respective category and its count for selected serverIP and also domain and accessed URL for that serverIP across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this serverIP only.
- Inversely, In the bar graph "Client IP wise Referrer" ,click on the any one clientIP to select and rest of the elements on the dashboard then show data for that clientIP only.
Report_IIS_Webserver_Top_N_Referers Dashboard
This Dashboard shows top referrers.Also gives the details of domain and top hits on server.
Elements in the Dashboard are explained below :
Visualization | Description |
Contribution of Domain | Contribution of different types of Domain. |
Server Name wise Hits | X axis : ServerName(s) Y axis :servername wise hits. |
Contribution of Referrer | Contribution of different types of Referrer. |
Time trend | Trend of login events over time. Useful to identify unusual spikes at a glance. X axis : date & time Y axis : count of events |
Summary Table | Detailed data with timestamp and count |
Some suggestions for useful interaction with this dashboard could be :
- On the bar graph "Contribution of referrer" select any one. This shall isolate count of requested hits for selected referrer and also shows domain and server name for selected referrer across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this referrer only.
- Inversely, In the "Contribution of Domain" pie, click on the any one domain to select and rest of the elements on the dashboard then show data for that domain only.
Report_IIS_Webserver_Referrer_Detail Dashboard
This dashboard shows referrer details. Also it shows top URL's, Referrer, client IP, which are requested for URL and server IP.
Elements in the Dashboard are explained below :
Visualization | Description |
Contribution of Referrer | Contribution of different types of Referrer. |
Contribution of URL | Contribution of different types of URL . |
Server IP wise Hits | X axis : ServerIP Y axis : Count of request hits for that ServerIP. |
Client IP wise Hits | X axis : ClientIP Y axis : Count of request hits for that Client IP. |
Time trend | Trend of login events over time. Useful to identify unusual spikes at a glance. X axis : date & time Y axis : count of events |
Summary Table | Detailed data with timestamp and count |
Some suggestions for useful interaction with this dashboard could be :
- In the pie chart "Contribution of Referrer" click and select any one referrer type.This shall isolate count of hits for that selected type and also shows server IP and accessed URL for that referrer type reflected across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this referrer type only.
- alternatively,In the graph "Client IP wise Hits" click and select any one clientIP. This shall isolate request hits and also shows referrer and accessed URL for that clientip reflected across the dashboard.
Report_IIS_webserver_loading_delays Dashboard
This dashboard shows the information about total time taken ,average time taken for accessed URI ,server IP.
Elements in the Dashboard are explained below :
Visualization | Description |
URL wise Total Time | X axis : URL's Y axis : Total time required and count of most expensive request for particular URL. |
Server IP Hits | X axis : ServerIP Y axis : Count of request hits for that ServerIP. |
Contribution of Server IP | contribution of different types of serverIP. |
Time trend | Trend of login events over time. Useful to identify unusual spikes at a glance. X axis : date & time Y axis : count of events |
Summary Table | Detailed data with timestamp and count |
Some suggestions for useful interaction with this dashboard could be :
- In the bar graph "URL wise Total Time" click and select any one URL.This shall shows total time required for that selected URL and also shows count of most expensive request for that URL and reflected across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this URL only.
- alternatively,In the bar graph "Server IP Hits" click and select any one serverIP.click on the any one serverIP to select and rest of the elements on the dashboard then show data for that serverIP only.
Report_IIS_Webserver_Avg_Qtime Dashboard
This Dashboard shows the average time taken by accessed URL and it's query.
Elements in the Dashboard are explained below :
Visualization | Description |
URL wise Hits | X axis :Name of URL's Y axis : Count of request hits for that URL. |
Server IP Hits | X axis : ServerIP Y axis : Count of request hits for that ServerIP. |
Contribution of Query | This pie chart shows contribution of different types of Query. |
Time trend | Trend of login events over time. Useful to identify unusual spikes at a glance. X axis : date & time Y axis : count of events |
Summary Table | Detailed data with timestamp and count |
Some suggestions for useful interaction with this dashboard could be :
- In the pie chart "Contribution of Query" select any one top Query. This shall isolate the count of hits for selected query and also server IP for selected query across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this serverIP only.
- In the bar graph "URL wise Hits" select any one URL. This shall isolate the count of request hits for selected URL and also query and servername for that URL across the dashboard. i.e the other pie charts, time trends and summary table shall show filtered information for this URL only.
KHIKA Alerts for IIS WebServer
Alerts are generated when certain ciritical behaviour is observed in the system – real time and notified on the Alerts Dashboard in KHIKA as well as can be received in email to relevant stakeholders. The details of KHIKA Alerts are mentioned here Click on “Alert Dashboard” on left menu. Certain alerts for Windows are pre-canned and shipped with KHIKA, keeping in mind the requirements of the users. They are mentioned in the table below :
Alerts Description
Alert Name | Description | Suggested Resolution |
IIS communication with possible IOC or bad IP | This alert is triggered when Malicious/bad IPs are trying to communicate with IIS Webserver. | KHIKA shares community based threat intelligence (TI) every 24 hours. TI has list of IP addresses with bad reputation. Every bad IP is marked with number of communities reporting it, name of each community and confidence indicating how confident are we about the reputation. This alert is generated when communication with a bad IP is let through.
If communication with a bad IP is happening, it must be blocked immediately as it could be a possible attack or data exfiltration. You can check how log this communication is happening by simply searching the malicious IP in the logs. You can also check what internal IP addresses are communicating with this IP addresses and track the real users behind those internal IP addresses. Cross-check the reputation of the IP with popular websites such as ipvoid.com, virustotal.com. If you see an internal IP constantly getting involved in malicious communication (with same or multiple external IP addresses), you may install agents on the internal nodes involved and check the real user and process responsible for this communication. It is critical to block this rogue communication. |
IIS dangerous content posted to webserver,files with executable extensions | This alert is triggered when any of the client trying to posted some dangerous files on webserver with in one minute. | IIS dangerous content posted to webserver. Victim has posted some potentially dangerous files like executable, scripts, shared objects, etc. on webserver.
Kindly check upload activity done by the user and verify the uploaded content for policy violation. |
IIS multiple errors for same URL when it is not accessible | This alert is triggered when client want to access invalid/unauthorized URL and god multiple errors like 404,405 etc within one minute. | Getting multiple errors for the same url.
This kind of alert may occur due to incorrect application url e.g. user trying to access invalid/non-authorized url. Kindly check the legitimacy of the requesting users. |